28

The official AWS documentation on how to send a text message with the AWS SDK in Java is pretty straightforward.

However, when sending a message like the one shown in the example at the bottom, I'm getting the error: User: arn:aws:iam::xxx:user/sms-testing is not authorized to perform: SNS:Publish on resource: +999999999

Note that +999999999 is the phone number passed to the .withPhoneNumber() call, so the AWS API complains about my IAM user not having the necessary permission to SNS:Publish a message to the resource with that phone number.

My question: how do I create an IAM user which is able to send SMS notifications through the Java SDK? Currently, it looks like I would have to create a permission for each number I'm sending messages to, which seems weird and hard to maintain.

pulse00

2 Answers

66

The error is telling you that your IAM user "sms-testing" does not have permission to publish to SNS (SNS:Publish) to that resource. Your IAM user probably does not have the SNS:Publish permission at all, which means you can't publish anything. If that is the case, you just need to add the following IAM policy to your user OR add the policy to the IAM Group to which your IAM user belongs.

The link below should take you right to the IAM console to edit permissions for the "sms-testing" user. Also below is a sample policy allowing the IAM user to publish anything to SNS (SMS, Topics, Endpoints, etc..).

If you want to lock down permissions a bit, you would modify the "Resource" and specify a specific SNS resource like Topic or application arn. If you are unable to edit the IAM user policy, you'll need to get your administrator to add this policy for you.

Modify your IAM user: https://console.aws.amazon.com/iam/home?region=us-east-1#users/sms-testing

Sample policy for allowing SNS Publish to ALL resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "*"
        }
    ]
}

Since SNS does not have an SMS resource, you can do a bit of a hack and "Deny" all SNS publishing to Topics and Platform Applications and then allow publish to the rest which leaves only SMS (for now).

Here's a sample policy allowing only publish to SMS and denying publishing to topics and applications (push notifications):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "*"
        }
    ]
}
Dennis H
  • Thanks, authorization works with the wildcard policy. It's a bit open then though - if I understand it correctly the IAM user can now publish to any topic in the account. The problem with specifying a topic seems to be that I then need to add a subscription to the topic of type "SMS" where I need to hardcode the target phone number. Is there a way I can lock down the permission in a way that the user can only send SMS (to any number) and not publish to any other topic? – pulse00 Aug 13 '16 at 07:00
  • I also have this same question. @pulse00 were you able to figure out how to restrict SMS access? – kennyjwilli Dec 30 '16 at 02:11
  • pulse00 - I updated the original answer with a policy allowing only publish to SMS. kennyjwilli - Allowing publish to any resource other than SMS does not seem possible at this time. – Dennis H Jan 06 '17 at 19:39
  • Instead of all resources, it'd be good to use the specific resource which is publishing the message – Mrityunjay May 20 '20 at 14:19
  • Thanks a lot! True life saver. AWS permissions are way too weird... No one should spend hours trying to figure out what kind of hack needs to be done. – Claudson Martins Aug 24 '20 at 23:21
0

Another way this can be fixed is by applying the following policy to your role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "NotResource": "arn:aws:sns:*:*:*"
        }
    ]
}

This uses the NotResource JSON Policy Element (docs).

pawel